AppSec and Chess: Two different worlds with remarkable parallels

Updated: 18 January, 2024

4 January, 2024

At Codific we are very proud to be the main sponsor of Chess International Master Emin Ohanyan who recently won the European Rapid and Blitz Chess Championships hosted in Zagreb, Croatia. Congratulations Emin! As a company dedicated to developing software solutions you may be wondering, why would we sponsor a chess player? There are two main reasons for this. First and most importantly, we are committed to the development of exceptional talent and this is not only limited to our employees. Emin is an exceptional talent and that is why we are committed to help him achieve his dream of becoming a World Chess Champion. Secondly, chess in many ways has parallels with what our company does, especially with our involvement in the Application Security (AppSec) industry. This blog post focuses on some of those parallels, giving further insight into the world of AppSec through the beautiful game of chess. 

IM Emin Ohanyan

Key takeaways

  • Strategic foresight in AppSec is akin to a chess player’s ability to think several steps ahead, crucial for anticipating and mitigating cyber threats.
  • Being prepared for unexpected challenges is vital in both chess and AppSec, highlighting the importance of robust recovery strategies.
  • Both chess and AppSec feature a virtually endless learning curve, emphasizing the need for continuous learning and adaptation.
  • Making informed trade-offs, whether in resource allocation in AppSec or in strategic sacrifices in chess, is key to achieving success.
  • Tools in AppSec, are as crucial as each chess pieces on the board, each serving a specific, strategic purpose.
  • SAMMY in the AppSec world parallels the strategic depth of chess, offering an innovative approach to managing AppSec complexities.


All about thinking ahead

In both AppSec and chess you need to think ahead and be able to predict what your opponent is going to do. The best chess players are able to think several steps ahead, which grants them a big advantage over their opponent. 

In the AppSec world, the experts are also able to do this by, for example, being able to think of threats and attack avenues that no one, sometimes not even the attackers are able to think about. By doing this, AppSec experts are able to already build software in a way that neutralizes these threats and attack avenues. Threat modeling is one the main ways this is done in the AppSec world. 


You need to have a plan for when things go wrong

In chess, things will go wrong eventually. You may make a mistake and hang an important piece, you may miss an important move or not see the move your opponent was planning to make. In those situations, it is important to plan ahead, you need to ensure that you have previously positioned your pieces in a way that allows you to recover. 

Same holds in AppSec. You need to make sure that you are doing things correctly from the beginning so when things go wrong, you are prepared. As we say in the world of application security: “It is not a matter of if you will be hacked, it is a matter of when”. To prepare for this, one of the most important things is to have a Disaster Recovery Plan in place that identifies all the assets (hardware, software, data), roles (responsibilities) and procedures (actions) for different scenarios. Similar to how in chess you also have to have a plan that identifies the different assets (pieces), roles (the way the pieces move) and procedures (moves) for different scenarios. 


There are tradeoffs you need to make

Some of the most impressive plays in chess involve sacrificing a piece, even an important piece like the queen, to get into a winning position. This is a tradeoff, you are giving up something for something in return. 

In AppSec, the same holds. Often you need to consider application security in the context of an organization with limited resources. Thus, if you spend these resources in improving your AppSec in one area, you may not have enough resources to improve your AppSec in others. To illustrate this further we can look at the SAMM Model. 

AppSec Programme: Software Assurance Maturity Model
The Software Assurance Maturity Model

SAMM is an AppSec programme that maps the different areas (business practices) in which you can expend resources to improve your application security. It offers a risk-based approach, meaning that the work and resources you use to improve your application security in the different business practices should be based on your organization’s risk appetite. In any case, when you spend more resources in one practice, say Policy and Compliance, you will have less resources to spend in other areas, like Secure Architecture. Therefore, same as in chess, AppSec has a lot of tradeoffs you need to consider. 


If you want to learn more about SAMM, then you can check out the free SAMM training


The learning curve in both is virtually endless

While being a relatively simple game, where the rules and the goal of it are easy to understand, chess has a tremendous learning curve, virtually endless. It is estimated that in chess, there are around 10^40 possible positions you can find yourself in, when sticking by the rules. Therefore, the learning curve is virtually endless, as in every single one of those positions there is an optimal move to make. 

The learning curve in AppSec is also virtually endless, with the world of cybercrime being ever expanding and evolving. The developing and refinement of new attack vectors, vulnerabilities and forms of malware is constant. Therefore, same as in chess, to be able to be good at AppSec you need to be constantly learning and keeping up with the evolution of the “game”. 


Start your AppSec learning  with the OWASP SAMM Training


Predefined optimal ways to play the game exist

In chess, every position has a best move, a move that grants you the biggest chances of winning. Optimal sequences of moves also exist. For example, depending on how you like to play the game there are different openings you can use and different responses to these openings. Being able to always recognize the best moves in every position is what separates a great player from just an amateur one.

In AppSec, it’s similar. There are a series of best practices that can provide you with the best chances of successfully defending and protecting a system. For example, there are several secure coding and deployment practices that are important during the implementation stage in the secure software development lifecycle (SSDLC). You can learn more about them here


To learn more about the secure software development lifecycle, check out this blog


In chess you have pieces, in AppSec tools

Finally, in chess every one of your pieces plays a role in your road to victory (or, hopefully not, defeat). You need to understand how to leverage each one in a correct way, understanding the roles they play, their overall importance and obviously, the way they move. Therefore, each piece serves as a tool you can use to win. 

Tools are also present in AppSec. For example, in the testing phase of the SSDLC, you can leverage static application security testing (SAST) and dynamic application security testing (DAST) tools to automate the testing process, removing the subjectivity from it and improving its efficiency. 

Nevertheless, as the SAMM model above shows, there are a lot of areas and practices to consider within AppSec. Managing all of that without a proper tool is not optimal, which is why we created SAMMY, our software assurance maturity model management tool

SAMMY, software assurance maturity model tool


Try it out for free here



In summary, the connection between chess and AppSec, as highlighted in this blog, reveals the importance of strategy, preparedness, and continuous learning in both fields. Chess, with its emphasis on foresight and adaptability, mirrors the challenges and decision-making processes in application security. Tools play a crucial role in both areas, aiding in efficient and effective management of resources and risks.

At Codific, our support for chess prodigy Emin Ohanyan aligns with our commitment to these principles, emphasizing strategic thinking and continuous improvement. This partnership reflects our dedication to excellence in the ever-evolving landscape of application security. We invite you to explore this fascinating intersection of chess and AppSec further through our OWASP SAMM training, embarking on a journey of discovery and mastery in the intricate world of application security. Moreover, make sure to check out SAMMY, for all your AppSec management needs.


Nicolas is the Product Manager of the Attendance Radar app at Codific. He is a certified Product Owner, an expert in digitalization and has a thorough understanding of the EdTech industry. Nicolas has an MSc in Business Information Management from the Rotterdam School of Management and a BSc in Economics and Business Economics from the Erasmus School of Economics. While having a non-technical educational background, Nicolas has strongly developed his technical expertise particularly around topics like data privacy and security, application security and secure software development, in the two years he has been working for Codific. This is especially the case when he started in his role as Product Manager, helping to guide the development of our Attendance Radar solution. If you have questions, reach out to me hereContact